lprimak commented on code in PR #2372: URL: https://github.com/apache/shiro/pull/2372#discussion_r2535034675
########## web/src/main/java/org/apache/shiro/web/util/CorsUtils.java: ########## 
@@ -0,0 +1,52 @@
+package org.apache.shiro.web.util;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Utility class for CORS request handling based on the W3.
+ *
+ * @see <a href="https://fetch.spec.whatwg.org/#http-cors-protocol">CORS W3C recommendation</a>
+ * @since 2.0.6
+ */
+public abstract class CorsUtils {
+
+ private CorsUtils() {
+ }
+
+ /**
+ * The HTTP {@code Origin} header field name.
+ * @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454</a>
+ */
+ public static final String ORIGIN = "Origin";
+ /**
+ * The CORS {@code Access-Control-Request-Method} request header field name.
+ * @see <a href="https://www.w3.org/TR/cors/">CORS W3C recommendation</a>
+ */
+ public static final String ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";
+
+ public static final String OPTIONS = "OPTIONS";
+
+ /**
+ * Determines whether the given {@link HttpServletRequest} represents a CORS preflight request.
+ * <p>
+ * A CORS preflight request is an {@code OPTIONS} request sent by browsers before the actual
+ * cross-origin request, to verify that the target server allows the actual request's
+ * method and headers.
+ * </p>
+ *
+ * <p>This method returns {@code true} if and only if:</p>
+ * <ul>
+ * <li>The HTTP method is {@code OPTIONS},</li>
+ * <li>The {@code Origin} header is present, and</li>
+ * <li>The {@code Access-Control-Request-Method} header is present.</li>
+ * </ul>
+ *
+ * @param request the incoming HTTP request to inspect (must not be {@code null})
+ * @return {@code true} if the request is a valid CORS preflight request; {@code false} otherwise
+ */
+ public static boolean isPreFlightRequest(HttpServletRequest request) {
+ return (request.getMethod().equals(OPTIONS) &&
+ request.getHeader(ORIGIN) != null &&
+ request.getHeader(ACCESS_CONTROL_REQUEST_METHOD) != null);
Review Comment: Maybe a check for a blank origin header is necessary?
########## web/src/main/java/org/apache/shiro/web/util/CorsUtils.java: ##########
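Review bot: `isPreFlightRequest` tests the method with `request.getMethod().equals(OPTIONS)`, which throws a NullPointerException instead of returning false should the container ever report a null method; the constant-first form `OPTIONS.equals(request.getMethod())` is null-safe and keeps the exact, case-sensitive match HTTP method names require. Because the predicate only checks that the two headers are present and never consults an origin allow-list, the method Javadoc should state that a true result identifies the shape of a preflight and is not itself an authorization decision, so any caller that exempts such requests from filters (not visible in this hunk) must still validate the origin elsewhere. The `OPTIONS` constant is the only field without Javadoc; `/** The HTTP {@code OPTIONS} method name, used by CORS preflight requests. */` would match its neighbours, and the class summary "based on the W3." reads as truncated, presumably "based on the W3C recommendation". The class is declared `public abstract` with a private constructor; `public final class CorsUtils` is the conventional shape for a non-instantiable utility class and does not suggest it is meant to be extended. The method's closing braces lie past the last quoted line of this hunk.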
@@ -0,0 +1,52 @@
+package org.apache.shiro.web.util;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Utility class for CORS request handling based on the W3.
+ *
+ * @see <a href="https://fetch.spec.whatwg.org/#http-cors-protocol">CORS W3C recommendation</a>
+ * @since 2.0.6
+ */
+public abstract class CorsUtils {
+
+ private CorsUtils() {
+ }
+
+ /**
+ * The HTTP {@code Origin} header field name.
+ * @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454</a>
+ */
+ public static final String ORIGIN = "Origin";
+ /**
+ * The CORS {@code Access-Control-Request-Method} request header field name.
+ * @see <a href="https://www.w3.org/TR/cors/">CORS W3C recommendation</a>
+ */
+ public static final String ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";
+
+ public static final String OPTIONS = "OPTIONS";
+
+ /**
+ * Determines whether the given {@link HttpServletRequest} represents a CORS preflight request.
+ * <p>
+ * A CORS preflight request is an {@code OPTIONS} request sent by browsers before the actual
+ * cross-origin request, to verify that the target server allows the actual request's
+ * method and headers.
+ * </p>
+ *
+ * <p>This method returns {@code true} if and only if:</p>
+ * <ul>
+ * <li>The HTTP method is {@code OPTIONS},</li>
+ * <li>The {@code Origin} header is present, and</li>
+ * <li>The {@code Access-Control-Request-Method} header is present.</li>
+ * </ul>
+ *
+ * @param request the incoming HTTP request to inspect (must not be {@code null})
+ * @return {@code true} if the request is a valid CORS preflight request; {@code false} otherwise
+ */
+ public static boolean isPreFlightRequest(HttpServletRequest request) {
+ return (request.getMethod().equals(OPTIONS) &&
+ request.getHeader(ORIGIN) != null &&
Review Comment: Maybe a check for a blank origin header is necessary?
-- This is an automated message from the Apache Git Service.
